1. account_pre-hijacking
| /2 /5 /6 /Ghasemisharif /SSO /hackernews /microsoft /theregister |
/SSO Single Sign-On (SSO), federated identity management
/メイルアドレス Services that use an e-mail address as the account identifier can be at risk in some cases.
1.1. research
Avinash Sudhodanan in collaboration with Andrew Paverd
New Research Paper: Pre-hijacking Attacks on Web User Accounts
https://msrc-blog.microsoft.com/2022/05/23/pre-hijacking-attacks/
Some of the techniques used for identity theft. Microsoft Security Response Center /microsoft
if the attacker can create an account at a target service using the victim’s email address before the victim creates an account, the attacker could then use various techniques to put the account into a pre-hijacked state.
Pre-hijacked accounts: An Empirical Study of Security Failures in User Account Creation on the Web
https://arxiv.org/abs/2205.10174
https://arxiv.org/pdf/2205.10174.pdf
4 Account Pre-Hijacking Attacks /4
For all these attacks, the attacker needs to identify services at which the victim does not yet have an account but is likely to create one in future.
Root Cause and Mitigation
Fundamentally, the root cause of account pre-hijacking vulnerabilities is that the service fails to verify that the user actually owns the supplied identifier (e.g. email address or phone number) before allowing use of the account. Although many services require identifier verification, they often do so asynchronously, allowing the user (or attacker) to use certain features of the account before the identifier has been verified. Whilst this might improve usability, it creates a window of vulnerability for pre-hijacking attacks.
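The root cause above, played out in code. This is an added example, not code from the paper, from MSRC, or from any of the services studied: the toy account service, its method names and the sample addresses are all constructed here. The `strict=False` configuration reproduces the asynchronous-verification window (the account is usable before the e-mail address is verified, and a session issued in that window survives the real owner's later password reset); `strict=True` applies the two measures the paragraph implies: no session until the identifier is verified, and every pre-existing session is revoked the moment someone proves control of the mailbox.

```python
"""Toy account service modelling the pre-hijacking root cause.

Added example; not the paper's or MSRC's code. Everything here (the
AccountService API, the addresses, the passwords) is constructed for
illustration.
"""
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Account:
    email: str
    password: str
    verified: bool = False
    sessions: set = field(default_factory=set)


class AccountService:
    def __init__(self, strict: bool):
        # strict=False: identifier is verified asynchronously, account usable now
        # strict=True : no use until verified; verification revokes old sessions
        self.strict = strict
        self.accounts = {}     # email -> Account
        self.mail_tokens = {}  # token delivered to the mailbox -> email

    def _mail_token(self, email: str) -> str:
        # In a real service this token leaves only via e-mail to `email`,
        # so whoever registered the address without owning it never sees it.
        token = secrets.token_urlsafe(16)
        self.mail_tokens[token] = email
        return token

    def signup(self, email: str, password: str) -> str:
        if email in self.accounts:
            raise ValueError("account already exists")
        self.accounts[email] = Account(email, password)
        return self._mail_token(email)

    def login(self, email: str, password: str) -> Optional[str]:
        acct = self.accounts.get(email)
        if acct is None or not secrets.compare_digest(acct.password, password):
            return None
        if self.strict and not acct.verified:
            return None  # hardened: no session before ownership is proven
        sid = secrets.token_urlsafe(16)
        acct.sessions.add(sid)
        return sid

    def session_valid(self, email: str, sid: str) -> bool:
        acct = self.accounts.get(email)
        return acct is not None and sid in acct.sessions

    def request_password_reset(self, email: str) -> str:
        if email not in self.accounts:
            raise ValueError("no such account")
        return self._mail_token(email)

    def confirm_mail_token(self, token: str, new_password: Optional[str] = None) -> str:
        """The mailbox owner follows the emailed link: the identifier becomes
        verified and, in the reset flow, the password is replaced."""
        email = self.mail_tokens.pop(token)
        acct = self.accounts[email]
        acct.verified = True
        if new_password is not None:
            acct.password = new_password
        if self.strict:
            # Proof of mailbox control decides who owns the account: drop
            # every session that was issued before this proof.
            acct.sessions.clear()
        return email


def run_scenario(strict: bool) -> bool:
    """Return True if the attacker still holds a working session after the
    victim has taken ownership of the account, i.e. it was pre-hijacked."""
    svc = AccountService(strict)
    victim = "victim@example.com"  # constructed sample address

    # 1. Attacker registers first with the victim's address. The verification
    #    mail lands in the victim's inbox; the attacker cannot use that token.
    svc.signup(victim, "attacker-chosen")
    # 2. Attacker logs in during the unverified window and keeps the session.
    attacker_sid = svc.login(victim, "attacker-chosen")
    # 3. Victim later signs up, is told the account exists, and uses
    #    "forgot password"; the reset link goes to the victim's own mailbox.
    try:
        svc.signup(victim, "victims-password")
    except ValueError:
        pass
    reset_token = svc.request_password_reset(victim)
    svc.confirm_mail_token(reset_token, new_password="victims-password")
    # 4. The victim can log in either way; what matters is whether the
    #    attacker's earlier session survived the takeover.
    assert svc.login(victim, "victims-password") is not None
    return attacker_sid is not None and svc.session_valid(victim, attacker_sid)


if __name__ == "__main__":
    print("async verification: attacker keeps access ->", run_scenario(strict=False))
    print("strict verification: attacker keeps access ->", run_scenario(strict=True))
```

The `strict` branch bundles two separate decisions that real services often make independently: refusing to issue sessions for an unverified identifier closes the window the paragraph describes, while revoking sessions on verification and password reset is what stops a session minted in that window from outliving it.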
1.2. coverage
https://www.helpnetsecurity.com/2022/05/24/account-pre-hijacking/
https://www.theregister.com/2022/05/25/web_pre_hijacking/
Dozens of high-traffic websites vulnerable to ‘account pre-hijacking’, study finds Ben Dickson 30 May 2022 at 15:30 UTC
